Amazon was not aware of the potential issue when it acquired Elemental—a compromise to supply chains, malicious chips from China, hardware modifications in Elemental’s data centers. The question everyone asks is, Did China really hack Amazon? The answer is, Not directly. Other major tech companies such as Apple were vulnerable to the same potential “Big Hack” through a microchip embedded on the motherboard in the manufacturing process that would create a back door for malicious activity to overrun the server. This microchip was embedded on Super Micro Computer machines; Super Micro just happens to be world’s largest supplier of motherboards.

Amazon’s response to this allegation was that it was simply untrue. During an examination of third-party security reviews and audits from 2015, Amazon stated that it found no evidence to support claims that these microchips were embedded in Elemental’s motherboards, although the audit did discover issues with the web application that Super Micro manages. The problems were discussed and addressed prior to the acquisition of Elemental. The vulnerability with the managed web application had been disclosed in 2013 in previously released versions. Any customers that connected to Super Micro servers were protected by default because Elemental’s hardware wasn’t designed to connect to the public internet and therefore never connected the traffic. Customers were given instructions in 2014 to download a new version of the Super Micro web application because the Elemental hardware didn’t come preloaded with the updated application. (The hardware included the updated application in versions after January 2014.) The result of the audit was that the issues were either already corrected by the time Amazon acquired Elemental or were fixed if customers used the hardware as intended.

In June 2017, researchers exposed the vulnerabilities in the Super Micro firmware, causing a public stir. Amazon contacted all affected customers and recommended that they apply firmware updates. Both Amazon and Super Micro assured the public that no malicious chip had affected their services and support to customers. Amazon claims that it has not engaged in a government investigation of this issue. Super Micro said in a statement that it had never found malicious chips on any of its systems.

For consumers, this story cast doubt about the validity of these statements. Although possible, such an attack is unlikely. Reports state that such a large-scale supply chain attack would be difficult to pull off. Consumers are encouraged to do their own research and reach their own conclusions. As one of the largest retailers and service providers in the world, Amazon isn’t likely to give the public a false sense of security. The vulnerabilities may just be a story for now, but as technology advances, so do strict security measures to counterattack threats.

Some name

Anthony has extensive IT support and systems engineering experience in government environments. He has led staff; worked in network operations support, information assurance, and change management; managed project software and licenses; and provided quality assurance. Anthony is currently working on his Ph.D. dissertation in Organizations and Management with a specialty in IT Management. He is an analyst with Studio B.